> -----Original Message-----
> From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> [mailto:sbradcpa@pacbell.net]
> Sent: Tuesday, November 15, 2005 8:52 PM
> To: James Eaton-Lee
> Cc: Marcos Marrero; focus-ms@securityfocus.com
> Subject: Re: ISA Server or Firewall Appliance?
>
> The annoying SBSer with ISA on her box is going to challenge
> you on that one.
>
> What exactly doesn't feel quite right? Why does it not feel right?
>
> In my network I like it because it's on a platform that I can
> monitor easier. Control better. Patch easier. [WSUS will
> soon support ISA as a matter of fact]
>
> Isn't the same true for big networks?
>
> I think we all need to let go of our OS perceptions and look
> at the realities of operating systems these days and what
> not. If we can't control it...understand it...I'm not sure
> it's not helping in the security fabric of my network.
>
> Our firewalls are not our perimeters any more.
>
> http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032286231&EventCategory=3&culture=en-US&CountryCode=US
>

I'll add my two cents - I've never used ISA (or Cisco, Juniper,
WatchGuard, etc.), in fact I've only ever used netfilter on Debian
Linux, with no GUI and as few packages installed as necessary. I believe
in deploying servers with the minimum number of services required for it
to function as intended.

I don't need a GUI to configure my firewall, nor do I need Remote
Desktop or IIS or a JVM or DCOM or wallpaper or Windows startup sounds
or a certification from Cisco. However, I did need to spend a lot of
time learning how network protocols, NAT, connection tracking and
netfilter work. I think it was well worth the investment.
Performance-wise, I believe Netfilter is adequate: 200,000 pps/20,000
new requests per second, with filtering, connection tracking, and NAT on
an Opteron-based system (Intel was significantly slower).

I think it depends on whether you need something to work now, securely,
or whether you can trade off time for a minimal installation, which is
theoretically more secure than one which brings the trappings of a
user-oriented operating system, like Windows or Red Hat/SUSE.
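A minimal stateful netfilter ruleset of the kind the post above describes (connection tracking plus NAT on a two-NIC Linux gateway), as an added example that is not part of the original thread; the interface names eth0/eth1, the 192.168.1.0/24 LAN and the LAN-only SSH management rule are assumptions.

```shell
# Added example, not from the original post: a minimal stateful netfilter
# ruleset in iptables-restore format. Interface names and the LAN prefix
# are assumed placeholders; adjust before loading.
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24

gen_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade LAN traffic leaving on the WAN interface
-A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, then connection-tracked replies; drop packets conntrack cannot place
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The only new connection the firewall host itself accepts: SSH from the LAN
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Forwarding: LAN may initiate outbound; WAN side only gets tracked replies
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
# Rate-limited logging of what the DROP policies will discard
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-input-drop: "
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-forward-drop: "
COMMIT
EOF
}

# Number of -A rules the ruleset would load (sanity check before applying)
rule_count() { gen_rules | grep -c '^-A'; }

# Sanity check: no rule may ACCEPT NEW connections arriving on the WAN interface
wan_new_accept_count() { gen_rules | grep -- "-i $WAN" | grep -c 'NEW.*ACCEPT' || true; }

# Load with: gen_rules | iptables-restore   (requires root)
```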
